Given a set of interacting components with non-deterministic variable update and given safety requirements, the goal of priority synthesis is to restrict, by means of priorities, the set of possible interactions in such a way as to guarantee the given safety conditions for all possible runs. In distributed priority synthesis we are interested in obtaining local sets of priorities, which are deployed in terms of local component controllers sharing intended next moves between components in local neighborhoods only. These possible communication paths between local controllers are specified by means of a communication architecture. We formally define the problem of distributed priority synthesis in terms of a multi-player safety game between players for (angelically) selecting the next transition of the components and an environment for (demonically) updating uncontrollable variables. We analyze the complexity of the problem, and propose several optimizations including a solution-space exploration based on a diagnosis method using a nested extension of the usual attractor computation in games together with a reduction to corresponding SAT problems. When diagnosis fails, the method proposes potential candidates to guide the exploration. These optimized algorithms for solving distributed priority synthesis problems have been integrated into the VissBIP framework. An experimental validation of this implementation is performed using a range of case studies including scheduling in multicore processors and modular robotics.



1 Introduction 

Distributed computing assemblies are usually built from interacting components with each component 
realizing a specific, well defined capability or service. Such a constituent component can be understood 
as a platform-independent computational entity that is described by means of its interface, which is 
published and advertised in the intended hosting habitat. 

In effect, computing assemblies constrain the behavior of their constituent components to realize goal-directed behavior, and such a goal-directed orchestration of interacting components may be regarded as synthesizing winning strategies in a multi-player game, with each constituent component and the environment a player. The game is won by the component players if the intended goals are achieved, otherwise the environment wins. The orchestration itself may be centralized in one or several specialized controller components or the control may be distributed among the constituent components. Unfortunately, distributed controller synthesis is known to be undecidable [20] in theory even for reachability or simple safety conditions [14]. A number of decidable subproblems have been proposed either by restricting the communication structures between components, such as pipelined, or by restricting the set of properties under consideration [18, 17, 19, 12].

In this paper we describe a solution to the distributed synthesis problem for automatically synthesizing local controllers which are distributed among the constituent components. More precisely, given a set of interacting components with non-deterministic variable update and given a safety requirement on the overall system, the goal of distributed priority synthesis is to restrict, by means of priorities on interactions, the set of possible interactions in such a way as to guarantee the given safety conditions. The structure of these priorities is restricted in order to deploy the corresponding controllers in a distributed way, and communication between these local controllers is restricted based on a given communication architecture.

For example, Figure 1 depicts two interacting components $C_1$ and $C_2$ with states idle and used and transitions $a$ through $d$ with no further synchronization between the components. The goal is to never simultaneously be in the risk state used. This goal is achieved by placing certain priorities on possible interactions. The priority $a < d$, for example, inhibits transitions of $C_1$ from state idle to used whenever $C_2$ is ready to leave the state used. This constraint might be used as the basis of a local controller for $C_1$ as it is informed by $C_2$ about its intended move using the given communication channel. Since many well-known scheduling strategies can be encoded by means of priorities on interactions [13], priority synthesis is closely related to solving scheduling problems. In this way, the result of distributed priority synthesis may also be viewed as a distributed scheduler.

Figure 1: A sample example (risk = {(used, used)}; priority fix: $\{a < d, c < b\}$).

The rest of the paper is structured as follows. Section 2 contains background information on a simplified variant of the Behavior-Interaction-Priority (BIP) modeling framework [1]. The corresponding priority synthesis problem corresponds to synthesizing a state-less winning strategy in a two-player safety game, where the control player (angelically) selects the next transition of the components and the environment player (demonically) updates uncontrollable variables. In Section 3 we introduce the notion of deployable communication architectures and formally state the distributed priority synthesis problem. Whereas the general distributed controller synthesis problem is undecidable [20], we show that distributed priority synthesis is NP-complete. Overall, distributed priority synthesis is decidable over all communication architectures, as the methodology essentially searches for a strategy of a certain "shape", where the shape is defined in terms of priorities. Section 4 contains a solution to the distributed synthesis problem, which is guaranteed to be deployable on a given communication architecture. This algorithm is a generalization of the solution to the priority synthesis problem in [10, 9]. It integrates essential optimizations based on symbolic game encodings including visibility constraints, followed by a nested attractor computation, and lastly, solving a corresponding (Boolean) satisfiability problem by extracting fix candidates while considering architectural constraints. Section 5 describes some details and optimization of our implementation, which is validated in Section 6 against a set of selected case studies including scheduling in multicore processors and modular robotics. Section 7 contains related work and we conclude in Section 8. Due to space limits, we leave proofs of propositions to our technical report [8].

2 Background 

Our notion of interacting components is heavily influenced by the Behavior-Interaction-Priority (BIP) framework [1], which consists of a set of automata (extended with data) that synchronize on joint labels; it is designed to model systems with combinations of synchronous and asynchronous composition. For simplicity, we omit many syntactic features of BIP such as hierarchies of interactions and we restrict ourselves to Boolean data types only. Furthermore, uncontrollability is restricted to non-deterministic update of variables, and data transfer during joint interactions among components is also omitted.

Let $\Sigma$ be a nonempty alphabet of interactions. A component $C_i$, of the form $(L_i, V_i, \Sigma_i, T_i, l_i^0, e_i^0)$, is a transition system extended with data, where $L_i$ is a nonempty, finite set of control locations, $\Sigma_i \subseteq \Sigma$ is a nonempty subset of interaction labels used in $C_i$, and $V_i$ is a finite set of (local) variables of Boolean domain $\mathbb{B} = \{\mathit{True}, \mathit{False}\}$. The set $\mathcal{E}(V_i)$ consists of all evaluations $e : V_i \rightarrow \mathbb{B}$ over the variables $V_i$, and $\mathcal{B}(V_i)$ denotes the set of propositional formulas over variables in $V_i$; variable evaluations are extended to propositional formulas in the obvious way. $T_i$ is the set of transitions of the form $(l, g, \sigma, f, l')$, where $l, l' \in L_i$ respectively are the source and target locations, the guard $g \in \mathcal{B}(V_i)$ is a Boolean formula over the variables $V_i$, $\sigma \in \Sigma_i$ is an interaction label (specifying the event triggering the transition), and $f : V_i \rightarrow (2^{\mathbb{B}} \setminus \emptyset)$ is the update relation mapping every variable to a set of allowed Boolean values. Finally, $l_i^0 \in L_i$ is the initial location and $e_i^0 \in \mathcal{E}(V_i)$ is the initial evaluation of the variables.

A system $S$ of interacting components is of the form $(\mathcal{C}, \Sigma, \mathcal{P})$, where $\mathcal{C} = \{C_i\}_{1 \le i \le m}$ is a set of components, and the set of priorities $\mathcal{P} \in 2^{\Sigma \times \Sigma}$ is irreflexive and transitive [13]. The notation $\sigma_1 < \sigma_2$ is usually used instead of $(\sigma_1, \sigma_2) \in \mathcal{P}$, and we say that $\sigma_2$ has higher priority than $\sigma_1$. A configuration (or state) $c$ of a system $S$ is of the form $(l_1, e_1, \ldots, l_m, e_m)$ with $l_i \in L_i$ and $e_i \in \mathcal{E}(V_i)$ for all $i \in \{1, \ldots, m\}$. The initial configuration $c_0$ of $S$ is of the form $(l_1^0, e_1^0, \ldots, l_m^0, e_m^0)$. An interaction $\sigma \in \Sigma$ is (globally) enabled in a configuration $c$ if, first, joint participation holds for $\sigma$, that is, for all $i \in \{1, \ldots, m\}$, if $\sigma \in \Sigma_i$, then there exists a transition $(l_i, g_i, \sigma, f_i, l_i') \in T_i$ with $e_i(g_i) = \mathit{True}$, and, second, there is no other interaction of higher priority for which joint participation holds. $\Sigma_c$ denotes the set of (globally) enabled interactions in a configuration $c$. For $\sigma \in \Sigma_c$, a configuration $c'$ of the form $(l_1', e_1', \ldots, l_m', e_m')$ is a $\sigma$-successor of $c$, denoted by $c \xrightarrow{\sigma} c'$, if, for all $i \in \{1, \ldots, m\}$: if $\sigma \notin \Sigma_i$, then $l_i' = l_i$ and $e_i' = e_i$; if $\sigma \in \Sigma_i$ and (for some) transition of the form $(l_i, g_i, \sigma, f_i, l_i') \in T_i$ with $e_i(g_i) = \mathit{True}$, $e_i' = e_i[v_i / d_i]$ with $d_i \in f_i(v_i)$.

A run is of the form $c_0, \ldots, c_k$ with $c_0$ the initial configuration and $c_j \rightarrow c_{j+1}$ for all $0 \le j < k$. In this case, $c_k$ is reachable, and $\mathcal{R}_S$ denotes the set of all reachable configurations from $c_0$. Notice that such a sequence of configurations can be viewed as an execution of a two-player game played alternately between the control Ctrl and the environment Env. In every position, player Ctrl selects one of the enabled interactions and Env non-deterministically chooses new values for the variables before moving to the next position. The game is won by Env if Ctrl is unable to select an enabled interaction, i.e., the system is deadlocked, or if Env is able to drive the run into a bad configuration from some given set $C_{risk} \subseteq \mathcal{C}_S$. More formally, the system is deadlocked in configuration $c$ if there is no $c' \in \mathcal{C}_S$ and no $\sigma \in \Sigma_c$ such that $c \xrightarrow{\sigma} c'$, and the set of deadlocked states is denoted by $C_{dead}$. A configuration $c$ is safe if $c \notin C_{dead} \cup C_{risk}$, and a system is safe if no reachable configuration is unsafe.

Definition 1 (Priority Synthesis) Given a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ together with a set $C_{risk} \subseteq \mathcal{C}_S$ of risk configurations, $\mathcal{P}^+ \subseteq \Sigma \times \Sigma$ is a solution to the priority synthesis problem if the extended system $(\mathcal{C}, \Sigma, \mathcal{P} \cup \mathcal{P}^+)$ is safe, and the defined relation of $\mathcal{P} \cup \mathcal{P}^+$ is also irreflexive and transitive.

For the product graph induced by system $S$, let $Q$ be the set of vertices and $\delta$ be the set of transitions. In a single-player game, where Env is restricted to deterministic updates, finding a solution to the priority synthesis problem is NP-complete in the size of $|Q| + |\delta| + |\Sigma|$ [11].

(Example in Fig. 1) The system $S$ has two components $C_1, C_2$ (neither component uses any variable), uses interactions $\Sigma = \{a, b, c, d\}$, and has no predefined priorities. The initial configuration is (idle, idle). Define the set of risk states to be {(used, used)}; then priority synthesis introduces $\{a < d, c < b\}$ as the set of priorities to avoid deadlock and risk states. Such a set ensures that whenever one component uses the resource, the other component waits until the resource is released. E.g., when $C_2$ is at used and $C_1$ is at idle, priority $a < d$ forces $a$ to be disabled.

Examples of using non-controllable environment updates can be found in our extended report [8]. 
3 Distributed Execution

We introduce the notion of (deployable) communication architecture for defining distributed execution 
for a system S of interacting components. Intuitively, a communication architecture specifies which 
components exchange information about their next intended move. 

Definition 2 A communication architecture Com for a system $S$ of interacting components is a set of ordered pairs of components of the form $(C_i, C_j)$ for $C_i, C_j \in \mathcal{C}$. In this case we say that $C_i$ informs $C_j$ and we use the notation $C_i \rightsquigarrow C_j$. Such a communication architecture Com is deployable if the following conditions hold for all $\sigma, \tau \in \Sigma$ and $i, j \in \{1, \ldots, m\}$:

• (Self-transmission) $\forall i \in \{1, \ldots, m\}$, $C_i \rightsquigarrow C_i \in$ Com.

• (Group transmission) If $\sigma \in \Sigma_i \cap \Sigma_j$ then $C_j \rightsquigarrow C_i, C_i \rightsquigarrow C_j \in$ Com.

• (Existing priority transmission) If $\sigma < \tau \in \mathcal{P}$, $\sigma \in \Sigma_j$, and $\tau \in \Sigma_i$ then $C_i \rightsquigarrow C_j \in$ Com.

Therefore, components that possibly participate in a joint interaction exchange information about next intended moves (group transmission), and components with a high-priority interaction $\tau$ need to inform all components with an interaction of lower priority than $\tau$ (existing priority transmission).¹ We make the following assumption.

Assumption 1 (Compatibility Assumption) A system under synthesis has a deployable communication architecture.

(Example in Fig. 1) The communication architecture Com in Fig. 1 is $\{C_1 \rightsquigarrow C_1, C_2 \rightsquigarrow C_2, C_2 \rightsquigarrow C_1\}$. The original system $S$ under Com is deployable, but the modified system which includes the synthesized priorities $\{a < d, c < b\}$ is not, as it requires $C_1 \rightsquigarrow C_2$ to support the use of priority $c < b$ (when $C_2$ wants to execute $c$, it needs to know whether $C_1$ wants to execute $b$).

Next we define distributed notions of enabled interactions and behaviors, where all the necessary 
information is communicated along the defined communication architecture. 

Definition 3 Given a communication architecture Com for a system $S$, an interaction $\sigma$ is visible by $C_j$ if $C_i \rightsquigarrow C_j$ for all $i \in \{1, \ldots, m\}$ such that $\sigma \in \Sigma_i$. Then for configuration $c = (l_1, e_1, \ldots, l_m, e_m)$, an interaction $\sigma \in \Sigma$ is distributively-enabled (at $c$) if:

• (Joint participation: distributed version) for all $i$ with $\sigma \in \Sigma_i$: $\sigma$ is visible by $C_i$, and there exists $(l_i, g_i, \sigma, \_, \_) \in T_i$ with $e_i(g_i) = \mathit{True}$.

• (No higher priorities enabled: distributed version) for all $\tau \in \Sigma$ with $\sigma < \tau$, and $\tau$ is visible by $C_i$: there is a $j \in \{1, \ldots, m\}$ such that $\tau \in \Sigma_j$ and either $(l_j, g_j, \tau, \_, \_) \notin T_j$ or for every $(l_j, g_j, \tau, \_, \_) \in T_j$, $e_j(g_j) = \mathit{False}$.

A configuration $c' = (l_1', e_1', \ldots, l_m', e_m')$ is a distributed $\sigma$-successor of $c$ if $\sigma$ is distributively-enabled and $c'$ is a $\sigma$-successor of $c$. Distributed runs are runs of system $S$ under communication architecture Com.

Any move from a configuration to a successor configuration in the distributed semantics can be understood as a multi-player game with $(|\mathcal{C}| + 1)$ players between controllers $\mathit{Ctrl}_i$ for each component and the external environment Env. In contrast to the two-player game for the global semantics, $\mathit{Ctrl}_i$ now is only informed of the intended next moves of the components in the visible region as defined by the communication architecture, and the control players play against the environment player. First, based on the visibility, the control players agree (cf. Assumption 2 below) on an interaction $\sigma \in \Sigma_c$, and, second, the environment chooses a $\sigma$-enabled transition for each component $C_i$ with $\sigma \in \Sigma_i$. Now the successor state is obtained by local updates to the local configurations for each component and variables are non-deterministically toggled by the environment.

¹ For the example in the introduction, to increase readability, we omit listing the communication structure for self-transmission and group transmission.

Proposition 1 Consider a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ under a deployable communication architecture Com. (a) If $\sigma \in \Sigma$ is globally enabled at configuration $c$, then $\sigma$ is distributively-enabled at $c$. (b) The set of distributively-enabled interactions at configuration $c$ equals $\Sigma_c$. (c) If configuration $c$ has no distributively-enabled interaction, it has no globally enabled interaction.

From the above proposition (part c) we can conclude that if configuration $c$ has no distributively-enabled interaction, then $c$ is deadlocked ($c \in C_{dead}$). However, we are looking for an explicit guarantee for the claim that the system at configuration $c$ is never deadlocked whenever there exists one distributively-enabled interaction in $c$. This means that whenever a race condition over a shared resource happens, it will be resolved (e.g., via the resource itself) rather than halting permanently and disabling progress. Such an assumption can be fulfilled by variants of distributed consensus algorithms such as majority voting (MJRTY) [?].

Assumption 2 (Runtime Assumption) For a configuration $c$ with $|\Sigma_c| > 0$, the distributed controllers $\mathit{Ctrl}_i$ agree on a distributively-enabled interaction $\sigma \in \Sigma_c$ for execution.

This assumption states that the distributed semantics of a system can be implemented as the global semantics [4]. With the above assumption, we then define, given a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ under a communication architecture Com, the set of deadlock states of $S$ in distributed execution to be $C_{dist.dead} = \{c\}$ where $c$ has no distributively-enabled interaction. We immediately derive $C_{dist.dead} = C_{dead}$, as the left inclusion ($C_{dist.dead} \subseteq C_{dead}$) is the consequence of Proposition 1 and the right inclusion is trivially true. With such an equality, given risk configurations $C_{risk}$ and global deadlock states $C_{dead}$, we say that system $S$ under the distributed semantics is distributively-safe if there is no distributed run $c_0, \ldots, c_k$ such that $c_k \in C_{dead} \cup C_{risk}$; a system that is not safe is called distributively-unsafe.

Definition 4 Given a system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ together with a deployable communication architecture Com and the set of risk configurations $C_{risk} \subseteq \mathcal{C}_S$, a set of priorities $\mathcal{P}_d^+$ is a solution to the distributed priority synthesis problem if the following holds: 1) $\mathcal{P} \cup \mathcal{P}_d^+$ is transitive and irreflexive. 2) $(\mathcal{C}, \Sigma, \mathcal{P} \cup \mathcal{P}_d^+)$ is distributively-safe. 3) For all $i, j \in \{1, \ldots, m\}$ s.t. $\sigma \in \Sigma_i$, $\tau \in \Sigma_j$: if $\sigma < \tau \in \mathcal{P} \cup \mathcal{P}_d^+$ then $C_j \rightsquigarrow C_i \in$ Com.

The 3rd condition states that newly introduced priorities are indeed deployable. Notice that for system $S$ with a deployable communication architecture Com, and any risk configurations $C_{risk}$ and global deadlock states $C_{dead}$, a solution to the distributed priority synthesis problem is distributively-safe iff it is (globally) safe. Moreover, for a fully connected communication architecture, the problem of distributed priority synthesis reduces to (global) priority synthesis.

Theorem 1 Given system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ under a deployable communication architecture Com, the problem of distributed priority synthesis is NP-complete in $|Q| + |\delta| + |\Sigma|$, where $|Q|$ and $|\delta|$ are the numbers of vertices and transitions in the product graph induced by $S$, provided that $|\mathcal{C}|^2 \le |Q| + |\delta| + |\Sigma|$.

(Sketch; see technical report [8] for the full proof) First select a set of priorities (including $\mathcal{P}$) and check if they satisfy transitivity, irreflexivity, and the architectural constraints. Then check, in polynomial time, if the system under this set of priorities can reach deadlock states; hardness follows from hardness of global priority synthesis.

(Example in Fig. 1) The priority set $\{a < c, a < d\}$ is a feasible solution of distributed priority synthesis, as these priorities can be supported by the communication $C_2 \rightsquigarrow C_1$.
Figure 2: The symbolic encoding for the system in Fig. 1.



4 Algorithmic Issues 

It is not difficult to derive from the NP-completeness result (Section 3) a DPLL-like search algorithm (see technical report [8] for such an algorithm), where each possible priority $\sigma < \tau$ is represented as a Boolean variable $\sigma < \tau$. If $\sigma < \tau$ is evaluated to True, then it is introduced into the priority set. Then the algorithm checks if such an introduced set is sufficient to avoid entering the risk. Notice, however, that checking whether a risk state is reachable is expensive.² As an optimization we therefore extend the basic search algorithm above with a diagnosis-based fixing process. In particular, whenever the system is unsafe under the current set of priorities, the algorithm diagnoses the reason for unsafety and introduces additional priorities for preventing immediate entry into states leading to unsafe states. If it is possible for the current scenario to be fixed, the algorithm immediately stops and returns the fix. Otherwise, the algorithm selects a set of priorities (derived from reasoning about why no fix exists) and uses them to guide the introduction of new priorities in the search algorithm.

The diagnosis-based fixing process proceeds in two steps:

(Step 1: Deriving fix candidates) Game solving is used to derive potential fix candidates represented as a set of priorities. In the distributed case, we need to encode visibility constraints: they specify for each interaction $\sigma$ the set of other interactions $\Sigma_\sigma \subseteq \Sigma$ visible to the components executing $\sigma$ (Section 4.1). With visibility constraints, our game solving process results in a nested attractor computation (Section 4.2).

(Step 2: Fault-fixing) Then create from fix candidates one feasible fix via solving a corresponding SAT problem, which encodes properties of priorities and architectural restrictions (Section 4.3). If this propositional formula is unsatisfiable, then an unsatisfiable core is used to extract potentially useful candidate priorities.



4.1 Game Construction 

Symbolic encodings of interacting components form the basis of reachability checks, the diagnosis process, and the algorithm for priority fixing (here we use $\mathcal{P}$ for the priority set under consideration). In particular, symbolic encodings of system $S = (\mathcal{C}, \Sigma, \mathcal{P})$ use the following propositional variables:

• $p_0$ indicates whether it is the controller's or the environment's turn.

• $\Lambda = \{\lambda_1, \ldots, \lambda_{\lceil \log_2 |\Sigma| \rceil}\}$ for the binary encoding $\mathit{enc}(\sigma)$ of the chosen interaction $\sigma$ (which is agreed by distributed controllers for execution, see Assumption 2).

• $\bigcup_{\sigma \in \Sigma} \{\sigma\}$ are the variables representing interactions to encode visibility. Notice that the same letter is used for an interaction and its corresponding encoding variable.

• $\bigcup_{i=1}^{m} Y_i$, where $Y_i = \{y_{i1}, \ldots, y_{ik}\}$, for the binary encoding $\mathit{enc}(l)$ of locations $l \in L_i$.

• $\bigcup_{i=1}^{m} \bigcup_{v \in V_i} \{v\}$ are the encoding of the component variables.

² This suffers from the state-explosion problem. Therefore, if the size of the input is defined not to be the set of all reachable states but rather the number of components together with the size of each component, the problem is in PSPACE.

Algorithm 1: Generate controllable transitions and the set of deadlock states

input : System $S = (\mathcal{C} = (C_1, \ldots, C_m), \Sigma, \mathcal{P})$, visibility constraints $\mathit{Vis}_\sigma^\tau$ where $\sigma, \tau \in \Sigma$
output: Transition predicate $T_{ctrl}$ for control and the set of deadlock states $C_{dead}$
begin
    let predicate $T_{ctrl} := \mathit{False}$, $C_{dead} := \mathit{True}$
    for $\sigma \in \Sigma$ do
        let predicate $P_\sigma := \mathit{True}$
    for $\sigma \in \Sigma$ do
        for $i = \{1, \ldots, m\}$ do
  1:        if $\sigma \in \Sigma_i$ then $P_\sigma := P_\sigma \wedge \bigvee_{(l, g, \sigma, f, l') \in T_i} (\mathit{enc}(l) \wedge g)$
  2:    $C_{dead} := C_{dead} \wedge \neg P_\sigma$
    for $\sigma_1 \in \Sigma$ do
  3:    let predicate $T_{\sigma_1} := p_0 \wedge \neg p_0' \wedge P_{\sigma_1} \wedge \mathit{enc}'(\sigma_1) \wedge \sigma_1'$
        for $\sigma_2 \in \Sigma$, $\sigma_2 \neq \sigma_1$ do
  4:        if $\mathit{Vis}_{\sigma_1}^{\sigma_2} = \mathit{True}$ then $T_{\sigma_1} := T_{\sigma_1} \wedge (P_{\sigma_2} \leftrightarrow \sigma_2')$
  5:        else $T_{\sigma_1} := T_{\sigma_1} \wedge \neg\sigma_2'$
        for $i = \{1, \ldots, m\}$ do
  6:        $T_{\sigma_1} := T_{\sigma_1} \wedge \bigwedge_{y \in Y_i} y \leftrightarrow y' \wedge \bigwedge_{v \in V_i} v \leftrightarrow v'$
  7:    $T_{ctrl} := T_{ctrl} \vee T_{\sigma_1}$
    for $\sigma_1 < \sigma_2 \in \mathcal{P}$ do
  8:    $T_{ctrl} := T_{ctrl} \wedge ((\sigma_1' \wedge \sigma_2') \rightarrow \neg\mathit{enc}'(\sigma_1))$
  9:    $T_{12} := T_{ctrl} \wedge (\sigma_1' \wedge \sigma_2')$; $T_{ctrl} := T_{ctrl} \setminus T_{12}$
 10:    $T_{12,fix} := (\exists \sigma_1' : T_{12}) \wedge (\neg\sigma_1')$
 11:    $T_{ctrl} := T_{ctrl} \vee T_{12,fix}$
    return $T_{ctrl}$, $C_{dead}$

Primed variables are used for encoding successor configurations and transition relations. Visibility constraints $\mathit{Vis}_\sigma^\tau \in \{\mathit{True}, \mathit{False}\}$ denote the visibility of interaction $\tau$ over another interaction $\sigma$. They are computed statically: such a constraint $\mathit{Vis}_\sigma^\tau$ holds iff for all $C_i, C_j \in \mathcal{C}$ where $\tau \in \Sigma_i$ and $\sigma \in \Sigma_j$, $C_i \rightsquigarrow C_j \in$ Com.

(Example in Fig. 1) We illustrate the symbolic game encoding using Fig. 2 to offer an insight. Circles are states where it is the turn of the controller ($p_0 = \mathit{True}$) and squares are those of the environment's turn ($p_0 = \mathit{False}$). The system starts with state $s_0$ and proceeds by selecting an interaction that is distributively enabled. E.g., $C_1$ may decide to execute $a$, and the state then goes to $s_2$. In $s_2$, we have $\mathit{enc}(a)$ to represent that $a$ is under execution. We also have $\{a, \neg b, c, \neg d\}$ as the encoded visibility, as $C_2 \rightsquigarrow C_1$ and the availability of $c$ and $d$ can be passed. This is used to represent that when $a$ is selected, $C_1$ is sure that $c$ is enabled at $C_2$. Then, as no non-deterministic update is in the system, the environment just moves to the successor by updating the local state to the destination of the interaction $a$. Notice that if $C_2$ decides to execute $c$, the play enters state $s_5$, which has visibility $\{\neg a, \neg b, c, \neg d\}$. Such a visibility reflects the fact that when $c$ executes, $C_2$ is not aware of the availability of $C_1$ to execute $a$, which is due to the architectural constraint.

Following the above explanation, Algorithms 1 and 2 return symbolic transitions $T_{ctrl}$ and $T_{env}$ for the control players $\bigcup_{i=1}^{m} \mathit{Ctrl}_i$ and the player Env respectively, together with the creation of a symbolic representation $C_{dead}$ for the deadlock states of the system. Line 1 of Algorithm 1 computes when an interaction $\sigma$ is enabled. Line 2 summarizes the conditions for deadlock, where none of the interactions is enabled. The computed deadlock condition can be reused throughout the subsequent synthesis process, as introducing a set of priorities never introduces new deadlocks. In line 3, $T_{\sigma_1}$ constructs the actual transition, where the conjunction with $\mathit{enc}'(\sigma_1)$ indicates that $\sigma_1$ is the chosen interaction for execution. $T_{\sigma_1}$ is also conjoined with $\sigma_1'$ as an indication that $\sigma_1$ is enabled (and it can see itself). Lines 4 and 5 record the visibility constraint. If interaction $\sigma_2$ is visible by $\sigma_1$ ($\mathit{Vis}_{\sigma_1}^{\sigma_2} = \mathit{True}$), then by conjoining it with $(P_{\sigma_2} \leftrightarrow \sigma_2')$, $T_{\sigma_1}$ explicitly records the set of visible and enabled (but not chosen) interactions. If interaction $\sigma_2$ is not visible by $\sigma_1$, then the encoding conjoins with $\neg\sigma_2'$. In this case $\sigma_2$ is treated as if it is not enabled (recall state $s_5$ in Fig. 2): if $\sigma_1$ is a bad interaction leading to the attractor of deadlock states, we cannot select $\sigma_2$ as a potential escape (i.e., we cannot create fix-candidate $\sigma_1 < \sigma_2$), as $\sigma_1 < \sigma_2$ is not supported by the visibility constraints derived from the architecture. Line 6 keeps all variables and locations the same in the pre- and postcondition, as the actual update is done by the environment. For each priority $\sigma_1 < \sigma_2$, lines 8 to 11 perform transformations on the set of transitions where both $\sigma_1$ and $\sigma_2$ are enabled. Line 8 prunes out transitions from $T_{ctrl}$ where both $\sigma_1$ and $\sigma_2$ are enabled but $\sigma_1$ is chosen for execution. Then, lines 9 to 11 ensure that the remaining transitions $T_{12}$ change the view as if $\sigma_1$ is not enabled (line 10 performs the fix). $T_{ctrl}$ is updated by removing $T_{12}$ and adding $T_{12,fix}$.

Algorithm 2: Generate uncontrollable updates

input : System $S = (\mathcal{C} = (C_1, \ldots, C_m), \Sigma, \mathcal{P})$
output: Transition predicate $T_{env}$ for environment
begin
    let predicate $T_{env} := \mathit{False}$
    for $\sigma \in \Sigma$ do
        let predicate $T_\sigma := \neg p_0 \wedge p_0'$
        for $i = \{1, \ldots, m\}$ do
            if $\sigma \in \Sigma_i$ then
  1:            $T_\sigma := T_\sigma \wedge \bigvee_{(l, g, \sigma, f, l') \in T_i} (\mathit{enc}(l) \wedge g \wedge \mathit{enc}'(l') \wedge \mathit{enc}(\sigma) \wedge \mathit{enc}'(\sigma) \wedge \bigwedge_{v \in V_i} \bigvee_{e \in f(v)} v' \leftrightarrow e)$
        for $\sigma_1 \in \Sigma$, $\sigma_1 \neq \sigma$ do
  2:        $T_\sigma := T_\sigma \wedge \neg\sigma_1'$
        for $i = \{1, \ldots, m\}$ do
  3:        if $\sigma \notin \Sigma_i$ then $T_\sigma := T_\sigma \wedge \bigwedge_{y \in Y_i} y \leftrightarrow y' \wedge \bigwedge_{v \in V_i} v \leftrightarrow v'$
        $T_{env} := T_{env} \vee T_\sigma$
    return $T_{env}$

Proposition 2 Consider configuration $s$, where interaction $\sigma$ is (enabled and) chosen for execution. Given $\tau \in \Sigma$ at $s$ such that the encoding $\tau' = \mathit{True}$ in Algorithm 1, then $\mathit{Vis}_\sigma^\tau = \mathit{True}$ and interaction $\tau$ is also enabled at $s$.

Proposition 3 $C_{dead}$ as returned by Algorithm 1 encodes the set of deadlock states of the input system $S$.

In Algorithm 2, the environment updates the configuration using interaction $\sigma$ based on the indicator $\mathit{enc}(\sigma)$. Its freedom of choice in variable updates is listed in line 1 (i.e., $\bigvee_{e \in f(v)} v' \leftrightarrow e$). Line 2 sets all interactions $\sigma_1$ not chosen for execution to false, and line 3 makes all components not participating in $\sigma$ stutter.

4.2 Fixing Algorithm: Game Solving with Nested Attractor Computation 

The first step of fixing is to compute the nested-risk-attractor from the set of bad states $C_{risk} \cup C_{dead}$. Let $V_{ctrl}$ ($T_{ctrl}$) and $V_{env}$ ($T_{env}$) be the set of control and environment states (transitions) in the encoded game.
Algorithm 3: Nested-risk-attractor computation

input : Initial state $c_0$, risk states $C_{risk}$, deadlock states $C_{dead}$, set of reachable states $\mathcal{R}_S(\{c_0\})$ and symbolic transitions $T_{ctrl}$, $T_{env}$ from Algorithms 1 and 2
output: (1) Nested risk attractor $\mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$ and (2) $T_f \subseteq T_{ctrl}$, the set of control transitions starting outside $\mathit{NestAttr}_{env}(C_{dead} \cup C_{risk})$ but entering $\mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$
begin
    // Create architectural non-visibility predicate
    let $\mathit{Esc} := \mathit{False}$
    for $\sigma_i \in \Sigma$ do
        let $\mathit{Esc}_{\sigma_i} := \mathit{enc}'(\sigma_i)$
        for $\sigma_j \in \Sigma$, $\sigma_j \neq \sigma_i$ do $\mathit{Esc}_{\sigma_i} := \mathit{Esc}_{\sigma_i} \wedge \neg\sigma_j'$
        $\mathit{Esc} := \mathit{Esc} \vee (\mathit{Esc}_{\sigma_i} \wedge \sigma_i')$
    // Part A: Prune unreachable transitions and bad states; $\mathcal{R}_S(\{c_0\})$ is the current set of reachable states
    $T_{ctrl} := T_{ctrl} \wedge \mathcal{R}_S(\{c_0\})$; $T_{env} := T_{env} \wedge \mathcal{R}_S(\{c_0\})$; $C_{dead} := C_{dead} \wedge \mathcal{R}_S(\{c_0\})$; $C_{risk} := C_{risk} \wedge \mathcal{R}_S(\{c_0\})$
    // Part B: Solve nested-safety game
    let $\mathit{NestedAttr}_{pre} := C_{dead} \vee C_{risk}$, $\mathit{NestedAttr}_{post} := \mathit{False}$
    while True do
        // B.1 Compute risk attractor of $\mathit{NestedAttr}_{pre}$
        let $\mathit{Attr} := \mathit{compute\_risk\_attr}(\mathit{NestedAttr}_{pre}, T_{env}, T_{ctrl})$
        // B.2 Generate transitions with source in $\neg\mathit{Attr}$ and destination in $\mathit{Attr}$
        $\mathit{PointTo} := T_{ctrl} \wedge \mathit{SUBS}((\exists \Xi' : \mathit{Attr}), \Xi, \Xi')$
        $\mathit{OutsideAttr} := \neg\mathit{Attr} \wedge (\exists \Xi' : T_{ctrl})$
        $T := \mathit{PointTo} \wedge \mathit{OutsideAttr}$
        // B.3 Add the source vertex of B.2 to NestedAttr
        $\mathit{newBadStates} := \exists \Xi' : (T \wedge \mathit{Esc})$
        $\mathit{NestedAttr}_{post} := \mathit{Attr} \vee \mathit{newBadStates}$
        // B.4 Condition for breaking the loop
        if $\mathit{NestedAttr}_{pre} \leftrightarrow \mathit{NestedAttr}_{post}$ then break
        else $\mathit{NestedAttr}_{pre} := \mathit{NestedAttr}_{post}$
    // Part C: extract $T_f$
    $\mathit{PointToNested} := T_{ctrl} \wedge \mathit{SUBS}((\exists \Xi' : \mathit{NestedAttr}_{pre}), \Xi, \Xi')$
    $\mathit{OutsideNestedAttr} := \neg\mathit{NestedAttr}_{pre} \wedge (\exists \Xi' : T_{ctrl})$
    $T_f := \mathit{PointToNested} \wedge \mathit{OutsideNestedAttr}$
    return $\mathit{NestAttr}_{env}(C_{dead} \cup C_{risk}) := \mathit{NestedAttr}_{pre}$, $T_f$



Let the risk-attractor be $\mathit{Attr}_{env}(X) := \bigcup_{k \in \mathbb{N}} \mathit{attr}^k_{env}(X)$, where $\mathit{attr}_{env}(X) := X \cup \{v \in V_{env} \mid vT_{env} \cap X \neq \emptyset\} \cup \{v \in V_{ctrl} \mid \emptyset \neq vT_{ctrl} \subseteq X\}$, i.e., $\mathit{attr}_{env}(X)$ extends the state set $X$ by all those states from which either the environment can move to $X$ within one step or control cannot prevent moving into $X$ within the next step. ($vT_{env}$ denotes the set of environment successors of $v$, and $vT_{ctrl}$ denotes the set of control successors of $v$.) Then $\mathit{Attr}_{env}(C_{risk} \cup C_{dead}) := \bigcup_{k \in \mathbb{N}} \mathit{attr}^k_{env}(C_{risk} \cup C_{dead})$ contains all nodes from which the environment can force any play to visit the set $C_{risk} \cup C_{dead}$.

(Example in Fig. 1) Starting from the risk state $s_{11}$ = (used, used), in the attractor computation we first add $\{s_{10}, s_7\}$ into the attractor, as they are environment states and each of them has an edge to enter the attractor. Then the attractor computation saturates, as for states $s_3$ and $s_8$, each of them has one edge to escape from entering the attractor. Thus $\mathit{Attr}_{env}(C_{risk} \cup C_{dead}) = \{s_{10}, s_7, s_{11}\}$.

Nevertheless, nodes outside the risk-attractor are not necessarily safe due to visibility constraints. We again use Fig. 2 to illustrate such a concept. State $s_3$ is a control location, and it is outside the attractor: although it has an edge $s_3 \rightarrow s_7$ which points to the risk-attractor, it has another edge from $s_3$ which does not lead to the attractor. We call positions like $s_3$ error points. Admittedly, applying priority $c < b$ at $s_3$ is sufficient to avoid entering the attractor. However, as $\mathit{Vis}_c^b = \mathit{False}$, $C_2$, which tries to execute $c$, is unaware of the enabledness of $b$. So $c$ can be executed freely by $C_2$. Therefore, we should add $s_3$ explicitly to the (already saturated) attractor, and recompute the attractor due to the inclusion of new vertices. This leads to an extended computation of the risk-attractor (i.e., the nested-risk-attractor).
Definition 5 The nested-risk-attractor $\mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$ is the smallest superset of $\mathit{Attr}_{env}(C_{risk} \cup C_{dead})$ such that the following holds.

1. For a state $c \notin \mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$ where there exists a (bad-entering) transition $t \in T_{ctrl}$ with source $c$ and target $c' \in \mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$:

• (Good control state shall have one escape) there exists another transition $t' \in T_{ctrl}$ such that its source is $c$ but its destination $c'' \notin \mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$.

• (Bad-entering transition shall have another visible candidate) for every bad-entering transition $t$ of $c$, in the encoding let $\sigma$ be the chosen interaction for execution ($\mathit{enc}'(\sigma) = \mathit{True}$). Then there exists another interaction $\tau$ such that, in the encoding, $\tau' = \mathit{True}$.

2. (Add if environment can enter) If $v \in V_{env}$ and $vT_{env} \cap \mathit{NestAttr}_{env}(C_{risk} \cup C_{dead}) \neq \emptyset$, then $v \in \mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$.

Algorithm 3 uses a nested fixpoint for computing a symbolic representation of a nested risk attractor. The notation $\exists S$ ($\exists S'$) is used to represent existential quantification over all unprimed (primed) variables used in the system encoding. Moreover, we use the operator $\mathrm{SUBS}(X, S, S')$, as available in many BDD packages, for variable swap (substitution) from unprimed to primed variables in $X$. For preparation (lines 1 to 3), we first create a predicate which explicitly records when an interaction $\sigma_i$ is enabled and chosen (i.e., $\sigma_i = \mathit{True}$ and $\mathit{enc}'(\sigma_i) = \mathit{True}$). For every other interaction $\sigma_j$, the variable $\sigma'_j$ is evaluated to False in the BDD (i.e., either it is disabled or not visible by $\sigma_i$, following Algorithm 1, lines 4 and 5).

The nested computation consists of two while loops (lines 4, 5): B.1 computes the familiar risk attractor (see the definition stated earlier; we refer readers to [8] for concrete algorithms), and B.2 computes the set of transitions $T$ whose source is outside the attractor but whose destination is inside the attractor. Notice that for every source vertex $c$ of a transition in $T$: (1) it has chosen an interaction $\sigma \in \Sigma$ to execute, but it is a bad choice; (2) there exists another choice $\tau$ whose destination is outside the attractor (otherwise, $c$ would be in the attractor). However, such a $\tau$ may not be visible by $\sigma$. Therefore, $\exists S' : (T \wedge \mathit{Esc})$ yields those states without any visible escape, i.e., without any other visible and enabled interaction under the local view of the chosen interaction. These states form the set of new bad states newBadStates due to architectural limitations. Finally, Part C of the algorithm extracts $T_f$ (similar to extracting $T$ in B.2).

Algorithm 3 terminates, since the number of states that can be added to Attr (by compute_risk_attr) and to NestedAttr_post (in the outer loop) is finite. The following proposition is used to detect the infeasibility of distributed priority synthesis problems.

Proposition 4 Assume that when executing the fix algorithm, only $\sigma \prec \tau$, where $\sigma \prec \tau \in P$, is evaluated to true. If the encoding of the initial state is contained in $\mathit{NestAttr}_{env}(C_{risk} \cup C_{dead})$, then the distributed priority synthesis problem for $S$ with $C_{risk}$ is infeasible.

(Example in Fig. 2) We again use the encoded game in Fig. 2 to illustrate the underlying algorithm for nested-attractor computation. Line 5 computes the attractor $\{s_{10}, s_7, s_{11}\}$, and then Lines 6 to 8 create the set of transitions $T = \{s_3 \rightarrow s_7, s_6 \rightarrow s_{10}\}$, which are transitions whose source is outside the attractor but whose destination is inside. Remember that $\mathit{Esc}$ in Line 2 generates a predicate which allows, when $\sigma$ is enabled, only the interaction $\sigma$ itself to be visible. Then $\mathit{newBadStates} = \exists S' : T \wedge \mathit{Esc} = \exists S' : \{s_3 \rightarrow s_7\} = \{s_3\}$, implying that this state is also considered bad. Then Line 10 adds $\{s_3\}$ to the new attractor and recomputes. The computation saturates with the following set of bad states: $\{s_2, s_3, s_7, s_{10}, s_{11}\}$. State $s_0$ has the risk edge $s_0 \rightarrow s_2$, but it can be blocked by the priority $a \prec c$ (recall that in $s_2$ we have visibility $\{a, b, c, d\}$). State $s_8$ has the risk edge $s_8 \rightarrow s_{10}$, but it can be blocked by the priority $a \prec d$. Thus $T_f = \{s_0 \rightarrow s_2, s_8 \rightarrow s_{10}\}$, and from $T_f$ we can extract the candidate priority fix $\{a \prec c, a \prec d\}$.

Notice that a visible escape is not necessarily a "true escape", as illustrated in Figure 3. It is possible that for state $c_2$, for $g$ its visible escape is $a$, while for $a$ its visible escape is $g$. Therefore, the computation only suggests candidates for fixing, and in these cases a feasible fix is derived in a SAT resolution step (Section 4.3).
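The following explicit-state version of Algorithm 3 is an added example, not the paper's BDD-based VissBIP code: it computes the risk attractor, iterates the nested fixpoint with visibility-aware escapes, extracts $T_f$ and the priority candidates, and applies the Proposition 4 check. The game `example_game` and its visibility pairs are constructed here to follow the Fig. 2 walkthrough; state names, interaction names and the `Game` structure are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Transition = Tuple[str, str, str]  # (source state, interaction, destination state)

@dataclass
class Game:
    env: Dict[str, Set[str]]         # environment state -> successor states
    ctrl: Dict[str, Dict[str, str]]  # control state -> {enabled interaction: successor}
    vis: Set[Tuple[str, str]]        # (sigma, tau): tau is visible when sigma is chosen
    risk: Set[str]                   # C_risk together with C_dead
    init: str

def risk_attractor(g: Game, x: Set[str]) -> Set[str]:
    """Attr_env(X): add environment states that can step into the set and control
    states that cannot avoid stepping into it, until saturation."""
    attr = set(x)
    changed = True
    while changed:
        changed = False
        for v, succ in g.env.items():
            if v not in attr and succ & attr:
                attr.add(v)
                changed = True
        for v, moves in g.ctrl.items():
            if v not in attr and set(moves.values()) <= attr:
                attr.add(v)
                changed = True
    return attr

def entering(g: Game, attr: Set[str]) -> Set[Transition]:
    """B.2 / Part C: control transitions from outside attr into attr."""
    return {(c, s, d) for c, moves in g.ctrl.items() if c not in attr
            for s, d in moves.items() if d in attr}

def visible_escapes(g: Game, c: str, sigma: str) -> Set[str]:
    """Other interactions enabled at c that the component choosing sigma can see."""
    return {tau for tau in g.ctrl[c] if tau != sigma and (sigma, tau) in g.vis}

def nested_risk_attractor(g: Game) -> Tuple[Set[str], Set[Transition]]:
    """Algorithm 3: a source of a bad-entering transition without any visible
    escape becomes a new bad state, and the attractor is recomputed."""
    pre = set(g.risk)
    while True:
        attr = risk_attractor(g, pre)                         # B.1
        new_bad = {c for c, s, _ in entering(g, attr)          # B.2, B.3: T ∧ Esc
                   if not visible_escapes(g, c, s)}
        post = attr | new_bad
        if post == pre:                                        # B.4
            break
        pre = post
    return post, entering(g, post)                             # Part C: T_f

def fix_candidates(g: Game, tf: Set[Transition]) -> Set[Tuple[str, str]]:
    """Candidates sigma < tau: push the bad-entering sigma below a visible escape."""
    return {(s, tau) for c, s, _ in tf for tau in visible_escapes(g, c, s)}

def infeasible(g: Game, nested: Set[str]) -> bool:
    """Proposition 4: no distributed fix exists if the initial state is inside."""
    return g.init in nested

def example_game(c_visible_from_a: bool = True) -> Game:
    """Constructed game following the Fig. 2 walkthrough; not the paper's figure."""
    vis = {("a", "d")} | ({("a", "c")} if c_visible_from_a else set())
    return Game(  # ("c", "b") is deliberately not visible, so s3 becomes a new bad state
        env={"s10": {"s11"}, "s7": {"s11"}, "s2": {"s3"}},
        ctrl={"s0": {"a": "s2", "c": "s4"}, "s3": {"c": "s7", "b": "s4"},
              "s8": {"a": "s10", "d": "s4"}, "s4": {"e": "s4"}, "s11": {}},
        vis=vis, risk={"s11"}, init="s0")
```

Running `nested_risk_attractor(example_game())` adds $s_3$ (no visible escape from $c$) and then the environment state $s_2$, and returns the candidates $\{a \prec c, a \prec d\}$; with `c_visible_from_a=False` the initial state $s_0$ itself becomes bad and the instance is infeasible.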



4.3 Fixing Algorithm: SAT Problem Extraction and Conflict Resolution 

The returned value $T_f$ of Algorithm 3 contains not only the risk interactions but also all possible interactions which are visible and enabled (see Algorithm 1 for the encoding and Proposition 2 for the result). Consider, for example, the situation depicted in Figure 3 and assume that $\mathit{Vis}^a_b$, $\mathit{Vis}^a_c$, $\mathit{Vis}^g_a$, $\mathit{Vis}^b_a$, and $\mathit{Vis}^b_c$ are the only visibility constraints which hold True. If $T_f$ returns three transitions, one may extract fix candidates from each of these transitions in the following way.

• On $c_2$, $a$ enters the nested-risk-attractor, while $b, c$ are also visible from $a$; one obtains the candidates $\{a \prec b, a \prec c\}$.

• On $c_2$, $g$ enters the nested-risk-attractor, while $a$ is also visible from $g$; one obtains the candidate $\{g \prec a\}$.

• On $c_2$, $b$ enters the nested-risk-attractor, while $a$ is also visible; one obtains the candidate $\{b \prec a\}$.

Using these candidates, one can perform conflict resolution and generate a set of new priorities for preventing entry into the nested-risk-attractor region. For example, $\{a \prec c, g \prec a, b \prec a\}$ is such a set of priorities for ensuring the safety condition. Notice also that the set $\{a \prec b, g \prec b, b \prec a\}$ is circular, and therefore not a valid set of priorities.

In our implementation, conflict resolution is performed using SAT solvers. A priority $\sigma_1 \prec \sigma_2$ is represented as a Boolean variable $\sigma_1 \prec \sigma_2$. If the generated SAT problem is satisfiable, for all variables $\sigma_1 \prec \sigma_2$ which evaluate to True, we add the priority $\sigma_1 \prec \sigma_2$ to the resulting introduced priority set $P_{+}$. The constraints below correspond to the ones of the global priority synthesis framework [9].

• (1. Priority candidates) For each edge $t \in T_f$ which enters the risk attractor using $\sigma$ and having $\sigma_1, \ldots, \sigma_e$ visible escapes (excluding $\sigma$), create the clause $(\bigvee_{i=1}^{e} \sigma \prec \sigma_i)$.

• (2. Existing priorities) For each priority $\sigma \prec \tau \in P$, create the clause $(\sigma \prec \tau)$.

• (3. Irreflexive) For each interaction $\sigma$ used in (1) and (2), create the clause $(\neg\, \sigma \prec \sigma)$.

• (4. Transitivity) For any $\sigma_1, \sigma_2, \sigma_3$ used above, create the clause $((\sigma_1 \prec \sigma_2 \wedge \sigma_2 \prec \sigma_3) \Rightarrow \sigma_1 \prec \sigma_3)$.

Clauses for architectural constraints also need to be added in the case of distributed priority synthesis. For example, if $\sigma_1 \prec \sigma_2$ and $\sigma_2 \prec \sigma_3$, then due to transitivity we shall include the priority $\sigma_1 \prec \sigma_3$. But if $\mathit{Vis}^{\sigma_1}_{\sigma_3} = \mathit{False}$, then $\sigma_1 \prec \sigma_3$ is not supported by communication. In the above example, as $\mathit{Vis}^b_c = \mathit{True}$, $\{a \prec c, g \prec a, b \prec a\}$ is a legal priority fix satisfying the architecture (because the inferred priority $b \prec c$ is supported). Therefore, we introduce the following constraints.

• (5. Architectural constraint) Given $\sigma_1, \sigma_2 \in \Sigma$, if $\mathit{Vis}^{\sigma_1}_{\sigma_2} = \mathit{False}$, then $\sigma_1 \prec \sigma_2$ is evaluated to False.

• (6. Communication constraint) Given $\sigma_1, \sigma_2 \in \Sigma$, if $\mathit{Vis}^{\sigma_1}_{\sigma_2} = \mathit{False}$, then for any interaction $\sigma_3 \in \Sigma$ with $\mathit{Vis}^{\sigma_1}_{\sigma_3} = \mathit{Vis}^{\sigma_3}_{\sigma_2} = \mathit{True}$, at most one of $\sigma_1 \prec \sigma_3$ and $\sigma_3 \prec \sigma_2$ is evaluated to True.

A correctness argument for this fixing process can be found in our extended report.

(Example in Fig. 2) By the nested attractor computation we have created the priority fix candidate $\{a \prec c, a \prec d\}$. Such a fix satisfies the above 6 types of constraints and thus is a feasible solution for distributed priority synthesis.
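As an added example (not the paper's SAT4J-based engine), the following Python evaluates constraint types (1) to (6) above as predicates over one truth assignment and finds the smallest satisfying priority set by enumeration, which is enough for the few interactions of the Figure 3 discussion. The interaction names, candidate clauses and visibility set are constructed after that discussion; $\mathit{Vis}^g_c$ is assumed in addition, since $g \prec a$ and $a \prec c$ transitively infer $g \prec c$, which constraint (5) then requires to be supported.

```python
from itertools import combinations
from typing import FrozenSet, List, Optional, Set, Tuple

Prio = Tuple[str, str]  # ("a", "c") is the Boolean variable for the priority a < c

def constraints_hold(chosen: Set[Prio], sigma: List[str], vis: Set[Prio],
                     candidates: List[Tuple[str, List[str]]], existing: Set[Prio]) -> bool:
    """Evaluate constraint types (1)-(6) of Section 4.3 on one truth assignment;
    `chosen` is the set of priority variables set to True."""
    def x(s: str, t: str) -> bool:          # (3) irreflexive: s < s is never True
        return s != t and (s, t) in chosen
    # (1) a bad-entering interaction must be lowered below one of its visible escapes
    if not all(any(x(s, t) for t in escapes) for s, escapes in candidates):
        return False
    if not all(x(s, t) for s, t in existing):   # (2) existing priorities are kept
        return False
    for s1 in sigma:
        for s2 in sigma:
            for s3 in sigma:
                # (4) transitivity; the case s1 == s3 rules out cycles such as a < b < a
                if x(s1, s2) and x(s2, s3) and not x(s1, s3):
                    return False
                # (6) communication: two supported priorities must not infer an unsupported one
                if (s1 != s2 and (s1, s2) not in vis and (s1, s3) in vis
                        and (s3, s2) in vis and x(s1, s3) and x(s3, s2)):
                    return False
            if x(s1, s2) and (s1, s2) not in vis:   # (5) architectural constraint
                return False
    return True

def smallest_fix(sigma: List[str], vis: Set[Prio], candidates: List[Tuple[str, List[str]]],
                 existing: Set[Prio] = frozenset()) -> Optional[FrozenSet[Prio]]:
    """Enumerate assignments by the number of priorities set to True and return the
    first satisfying one; a brute-force stand-in for the SAT solver, fine for small Sigma."""
    variables = [(s, t) for s in sigma for t in sigma if s != t]
    for k in range(len(variables) + 1):
        for subset in combinations(variables, k):
            if constraints_hold(set(subset), sigma, vis, candidates, set(existing)):
                return frozenset(subset)
    return None

# Constructed instance modelled on the Figure 3 discussion (not the paper's data).
SIGMA = ["a", "b", "c", "g"]
# Vis entries (sigma, tau): tau is visible when sigma is chosen.  (g, c) is an assumption:
# g < a and a < c infer g < c, which constraint (5) only allows if it is visible.
VIS = {("a", "b"), ("a", "c"), ("g", "a"), ("b", "a"), ("b", "c"), ("g", "c")}
CANDIDATES = [("a", ["b", "c"]), ("g", ["a"]), ("b", ["a"])]   # clauses of type (1)
CIRCULAR = {("a", "b"), ("g", "b"), ("b", "a")}                  # rejected by (4) and (5)
```

`smallest_fix(SIGMA, VIS, CANDIDATES)` returns the three chosen priorities together with the two transitively inferred ones, and dropping `("g", "c")` from `VIS` makes the instance unsatisfiable.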
[Figure 3 (image not reproduced; the figure marks the region Reach({c_0}))]

Figure 3: Locating fix candidates outside the nested-risk-attractor.



5 Implementation 

Our algorithm for solving the distributed priority synthesis problem has been implemented in Java on top of the open-source workbench VissBIP (footnote 3) for graphically editing and visualizing systems of interacting components. The synthesis engine itself is based on the JDD package for binary decision diagrams and the SAT4J propositional satisfiability solver. In addition, we implemented a number of extensions and optimizations (e.g., Proposition 4) of the core algorithm in Section 4; for lack of space, details have to be omitted.

First, we also use the unsatisfiable core obtained during the fix process to guide the introduction of new priorities. E.g., if the fix does not succeed because both $\sigma \prec \tau$ and $\tau \prec \sigma$ are used, the engine then introduces $\sigma \prec \tau$ for the next iteration. Then in the next diagnosis process, the engine cannot propose a fix of the form $\tau \prec \sigma$ (for the engine to give such a fix, it requires that when $\tau$ and $\sigma$ are enabled while $\tau$ is chosen for execution, $\sigma$ is also enabled; the enabledness of $\sigma$ contradicts $\sigma \prec \tau$).

Second, we over-approximate the nested risk attractor by parsimoniously adding all source states in $T_f$, as returned from Algorithm 3, to the nested-risk-attractor before recomputing; thereby increasing the chances of creating a new $T_f$ where conflicts can be resolved.

Lastly, whenever possible the implementation tries to synthesize local controllers without any state information. If such a diagnosis-fixing fails, the algorithm can also perform a model transformation of the interacting components which is equivalent to transmitting state information in the communication. In order to minimize the amount of state information that is required to be communicated, we lazily extract refinement candidates from (minimal) unsatisfiable cores of failed runs of the propositional solver, and correspondingly refine the alphabet by including new state information. Alternatively, a fully refined model transformation can eagerly be computed in VissBIP.



6 Evaluation 

We validate our algorithm using a collection of benchmarking models including memory access problems, power allocation assurance, and working protection in industrial automation; some of these case studies are extracted from industrial case studies. Table 1 summarizes the results obtained on an Intel machine with a 3.4 GHz Intel Core i7 CPU and 8 GB RAM. Besides runtime we also list the algorithmic extensions and optimizations described in Section 5.

The experiments 1.1 through 1.16 in Table 1 refer to variations of the multiprocessor scheduling problem with an increasing number of processors and memory banks. Depending on the communication architecture, the engine uses refinement or extracts the UNSAT core to find a solution.

3 http://www6.in.tum.de/~chengch/vissbip

Experiments 2.1 and 2.2 refer to a multi-robot scenario with possible moves in a predefined arena, and the goal is to avoid collisions by staying within a predefined protection cap. The communication architecture is restricted in that the i-th robot can only notify the ((i + 1) % n)-th.

In experiments 3.1 through 3.6 we investigate the classical dining philosophers problem using various communication architectures. If the communication is clockwise, then the engine fails to synthesize priorities (footnote 4). If the communication is counter-clockwise (i.e., a philosopher can notify its intention to the philosopher on his right), then the engine is also able to synthesize distributed priorities (for n philosophers, n rules suffice). Compared to our previous priority synthesis technique, the required time for synthesis is longer, as in distributed priority synthesis we need to separate visibility and enabled interactions.

Experiment 4 is based on a case study for increasing the reliability of data processing units (DPUs) by using multiple data sampling. The mismatch between the calculated results from different devices may yield deadlocks. The deadlocks can be avoided with the synthesized priorities from VissBIP.

Finally, in experiment 5, we synthesize a decentralized controller for the Dala robot [3], which is composed of 20 different components. A hand-coded version of the control indeed did not rule out deadlocks. Without any further communication constraints between the components, VissBIP locates the deadlocks and synthesizes additional priorities to avoid them.

7 Related Work 

Distributed controller synthesis is undecidable [20] even for reachability or simple safety conditions [17]. A number of decidable subproblems have been proposed either by restricting the communication structures between components, such as pipelined, or by restricting the set of properties under consideration [18, 17, 19, 12]; these restrictions usually limit applicability to a wide range of problems. Schewe and Finkbeiner's bounded synthesis [21] works on LTL specifications: when using automata-based methods, it requires that each process shall obtain the same information from the environment. The method is extended to encode locality constraints to work on arbitrary structures. Distributed priority synthesis, on the one hand, starts from a given distributed system together with an additional safety requirement (and the progress/deadlock-freedom property) to ensure. On the other hand, it is also flexible enough to specify different communication architectures between the controllers, such as master-slave in the multiprocessor scheduling example. To perform distributed execution, we have also explicitly indicated how such a strategy can be executed on concrete platforms.

Starting with an arbitrary controller, Katz, Peled and Schewe [16, 13] propose a knowledge-based approach for obtaining a decentralized controller by reducing the number of required communications between components. This approach assumes a fully connected communication structure, and it fails if the starting controller is inherently non-deployable.

Bonakdarpour, Kulkarni and Lin [6] propose methods for adding fault-recoveries to BIP components. The algorithms in [5] are orthogonal in that they add additional behavior, for example new transitions, to individual components instead of determinizing possible interactions among components as in distributed priority synthesis. However, the distributed synthesis described by Bonakdarpour et al. is restricted to local processes without joint interactions between components.

Lately, the problem of deploying priorities on a given architecture has gained increasing recognition; the advantage of priority synthesis is that the set of synthesized priorities is always known to be deployable.

4 Precisely, in our model, we allow each philosopher to pass his intention over his left fork to the philosopher on his left. The engine uses Proposition 4 and diagnoses that it is impossible to synthesize priorities, as the initial state is within the nested-risk-attractor.

Table 1: Experimental results on distributed priority synthesis

| Index | Testcase and communication architecture            | Components | Interactions | Time (seconds) | Remark            |
|-------|----------------------------------------------------|------------|--------------|----------------|-------------------|
| 1.1   | 4 CPUs with broadcast A                            | 8          | 24           | 0.17           | x                 |
| 1.2   | 4 CPUs with local A, D                             | 8          | 24           | 0.25           | A                 |
| 1.3   | 4 CPUs with local communication                    | 8          | 24           | 1.66           | R                 |
| 1.4   | 6 CPUs with broadcast A                            | 12         | 36           | 1.46           | RP-2              |
| 1.5   | 6 CPUs with broadcast A, F                         | 12         | 36           | 0.26           | x                 |
| 1.6   | 6 CPUs with broadcast A, D, F                      | 12         | 36           | 1.50           | A                 |
| 1.7   | 6 CPUs with local communication                    | 12         | 36           | -              | fail              |
| 1.8   | 8 CPUs with broadcast A                            | 16         | 48           | 8.05           | RP-2              |
| 1.9   | 8 CPUs with broadcast A, H                         | 16         | 48           | 1.30           | x                 |
| 1.10  | 8 CPUs with broadcast A, D, H                      | 16         | 48           | 1.80           | x                 |
| 1.11  | 8 CPUs with broadcast A, B, G, H                   | 16         | 48           | 3.88           | RP-2              |
| 1.12  | 8 CPUs with local communication                    | 16         | 48           | 42.80          | R                 |
| 1.13  | 10 CPUs with broadcast A                           | 20         | 60           | 135.03         | RP-2              |
| 1.14  | 10 CPUs with broadcast A, J                        | 20         | 60           | 47.89          | RP-2              |
| 1.15  | 10 CPUs with broadcast A, E, F, J                  | 20         | 60           | 57.85          | RP-2              |
| 1.16  | 10 CPUs with local communication A, B, E, F, I, J  | 20         | 60           | 70.87          | RP-2              |
| 2.1   | 4 Robots with 12 locations                         | 4          | 16           | 11.86          | RP-1              |
| 2.2   | 6 Robots with 12 locations                         | 6          | 24           | 71.50          | RP-1              |
| 3.1   | Dining Philosopher 10 (no communication)           | 20         | 30           | 0.25           | imp               |
| 3.2   | Dining Philosopher 10 (clockwise next)             | 20         | 30           | 0.27           | imp               |
| 3.3   | Dining Philosopher 10 (counter-clockwise next)     | 20         | 30           | 0.18           | x (nor: 0.16)     |
| 3.4   | Dining Philosopher 20 (counter-clockwise next)     | 40         | 60           | 0.85           | x, g (nor: 0.55)  |
| 3.5   | Dining Philosopher 30 (counter-clockwise next)     | 60         | 90           | 4.81           | x, g (nor: 2.75)  |
| 4     | DPU module (local communication)                   | 4          | 27           | 0.42           | x                 |
| 5     | Antenna module (local communication)               | 20         | 64           | 17.21          | RP-1              |

x Satisfiable by direct fixing (without assigning any priorities)
A Nested-risk-attractor over-approximation
R State-based priority refinement
RP-1 Using UNSAT core: start with the smallest amount of newly introduced priorities
RP-2 Using UNSAT core: start with a subset of local non-conflicting priorities extracted from the UNSAT core
fail Fail to synthesize priorities (time out > 150 seconds using RP-1)
imp Impossible to synthesize priorities from diagnosis at base level (using Proposition 4)
g Initial variable ordering provided (the ordering is based on breaking the circular order into a linear order)
nor Priority synthesis without considering architectural constraints (engine in [9])

8 Conclusion 

We have presented a solution to the distributed priority synthesis problem for synthesizing deployable local controllers by extending the algorithm for synthesizing stateless winning strategies in safety games [10, 9]. We investigated several algorithmic optimizations and validated the algorithm on a wide range of synthesis problems from multiprocessor scheduling to modular robotics. Although these initial experimental results are indeed encouraging, they also suggest a number of further refinements and extensions.

The model of interacting components can be extended to include a rich set of data types by either using Boolean abstraction in a preprocessing phase or by using satisfiability modulo theory (SMT) solvers instead of a propositional satisfiability engine; in this way, one might also synthesize distributed controllers for real-time systems. Another extension is to explicitly add faulty or adaptive behavior by means of demonic non-determinism.

Cheng, Yan, Bensalem, Ruess 71

Distributed priority synthesis might not always return the most useful controller. For example, for the Dala robot, the synthesized controllers effectively shut down the antenna to obtain a deadlock-free system. Therefore, for many real-life applications we are interested in obtaining optimal, for example with respect to energy consumption, or Pareto-optimal controls.

Finally, the priority synthesis problem as presented here needs to be extended to achieve goal-oriented 
orchestration of interacting components. Given a set of goals in a rich temporal logic and a set of 
interacting components, the orchestration problem is to synthesize a controller such that the resulting 
assembly of interacting components exhibits goal-directed behavior. One possible way forward is to 
construct bounded reachability games from safety games. 

Our vision for the future of programming is that, instead of painstakingly engineering sequences of program instructions as in the prevailing Turing tarpit, designers rigorously state their intentions and goals, and orchestration techniques based on distributed priority synthesis construct corresponding goal-oriented assemblies of interacting components [22].